# systemd service unit that runs `headscale serve` as the unprivileged
# headscale user inside a restrictive sandbox. Comments must stay on their
# own lines: systemd treats a trailing "# ..." as part of the value.
[Unit]
# NOTE(review): syslog.target is obsolete on current systemd, so this
# ordering is most likely a no-op there.
After=syslog.target
# Ordering only; network.target does not wait for interfaces to be configured.
After=network.target
Description=headscale coordination server for Tailscale
# "X-" options are ignored by systemd itself; presumably read by packaging or
# configuration-management tooling to restart the unit on config changes.
X-Restart-Triggers=/etc/headscale/config.yaml

[Service]
Type=simple
# Run without root; the capabilities below supply the only elevated rights.
User=headscale
Group=headscale
ExecStart=/usr/bin/headscale serve
# Reload is a SIGHUP to the main process.
# (The page's blame column dates this line 2024-09-05.)
ExecReload=/usr/bin/kill -HUP $MAINPID
# Restart on every exit, clean or not, after a 5 second pause.
Restart=always
RestartSec=5

WorkingDirectory=/var/lib/headscale
# With ProtectSystem=strict (below) these are the writable exceptions.
# NOTE(review): /var/run is normally a symlink to /run, so this opens the
# whole runtime tree for writing (subject to file permissions), while
# RuntimeDirectory=headscale already provides /run/headscale. Confirm the
# broader path is needed before keeping it.
ReadWritePaths=/var/lib/headscale /var/run

# Capabilities handed to the non-root process: bind ports below 1024 and
# change file ownership.
# NOTE(review): CAP_CHOWN permits changing ownership of any file the service
# can reach on a writable path; confirm it is still required.
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
# Upper bound on capabilities the service can ever hold; matches the ambient
# set. (The page's blame column dates this line 2023-04-20.)
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
# --- Sandboxing ---
LockPersonality=true
# Blocks privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
# Private /dev without physical devices.
PrivateDevices=true
PrivateMounts=true
# Private /tmp and /var/tmp, not shared with other services.
PrivateTmp=true
# Only the per-process part of /proc is visible.
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
# /home, /root and /run/user are inaccessible.
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Processes of other users are hidden in /proc.
ProtectProc=invisible
# Entire file system is read-only except ReadWritePaths and the
# Runtime/State directories declared in this unit.
ProtectSystem=strict
RemoveIPC=true
# Sockets limited to IPv4, IPv6 and Unix domain; other families are refused.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# systemd creates /run/headscale and /var/lib/headscale owned by User/Group
# with mode 0750 (no access for "other").
RuntimeDirectory=headscale
RuntimeDirectoryMode=0750
StateDirectory=headscale
StateDirectoryMode=0750
SystemCallArchitectures=native
# Order matters: the first SystemCallFilter= line is an allow-list, so every
# syscall not listed is denied; later lines add to or subtract from that set.
# NOTE(review): systemd's @privileged group includes @chown, so the final
# "~@privileged" line appears to remove the chown calls allowed above, which
# would leave CAP_CHOWN unusable. Verify with
# `systemd-analyze syscall-filter @privileged` and
# `systemd-analyze security <unit-name>` before relying on either behaviour.
SystemCallFilter=@chown
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
# New files are created accessible to the owner only.
UMask=0077

[Install]
WantedBy=multi-user.target